[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 2289 Introduced in Senate (IS)]

115th CONGRESS
  2d Session
                                S. 2289

 To create an Office of Cybersecurity at the Federal Trade Commission 
  for supervision of data security at consumer reporting agencies, to 
  require the promulgation of regulations establishing standards for 
   effective cybersecurity at consumer reporting agencies, to impose 
penalties on credit reporting agencies for cybersecurity breaches that 
      put sensitive consumer data at risk, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 10, 2018

Ms. Warren (for herself and Mr. Warner) introduced the following bill; 
which was read twice and referred to the Committee on Banking, Housing, 
                           and Urban Affairs

_______________________________________________________________________

                                 A BILL
 To create an Office of Cybersecurity at the Federal Trade Commission 
  for supervision of data security at consumer reporting agencies, to 
  require the promulgation of regulations establishing standards for 
   effective cybersecurity at consumer reporting agencies, to impose 
penalties on credit reporting agencies for cybersecurity breaches that 
      put sensitive consumer data at risk, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Breach Prevention and 
Compensation Act of 2018''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Career appointee.--The term ``career appointee'' has 
        the meaning given the term in section 3132(a) of title 5, 
        United States Code.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Covered breach.--The term ``covered breach'' means any 
        instance in which at least 1 piece of personally identifying 
        information is exposed or is reasonably likely to have been 
        exposed to an unauthorized party.
            (4) Covered consumer reporting agency.--The term ``covered 
        consumer reporting agency'' means--
                    (A) a consumer reporting agency described in 
                section 603(p) of the Fair Credit Reporting Act (15 
                U.S.C. 1681a(p)); or
                    (B) a consumer reporting agency that earns not less 
                than $7,000,000 in annual revenue from the sales of 
                consumer reports.
            (5) Director.--The term ``Director'' means the Director of 
        the Office of Cybersecurity.
            (6) Detail.--The term ``detail'' means a temporary 
        assignment of an employee to a different position for a 
        specified period, with the employee returning to his or her 
        regular duties at the end of the detail.
            (7) Personally identifying information.--The term 
        ``personally identifying information'' means--
                    (A) a Social Security number;
                    (B) a driver's license number;
                    (C) a passport number;
                    (D) an alien registration number or other 
                government-issued unique identification number;
                    (E) unique biometric data, such as faceprint, 
                fingerprint, voice print, iris image, or other unique 
                physical representations;
                    (F) an individual's first and last name or first 
                initial and last name in combination with any 
                information that relates to the individual's past, 
                present, or future physical or mental health or 
                condition, or to the provision of health care to or 
                diagnosis of the individual;
                    (G)(i) a financial account number, debit card 
                number, or credit card number of the consumer; or
                    (ii) any passcode required to access an account 
                described in clause (i); and
                    (H) such additional information, as determined by 
                the Director.

SEC. 3. CYBERSECURITY STANDARDS AND FTC AUTHORITY.

    (a) Establishment.--There is established in the Commission an 
Office of Cybersecurity, which shall be headed by a Director, who shall 
be a career appointee.
    (b) Duties.--The Office of Cybersecurity--
            (1) shall--
                    (A) supervise covered consumer reporting agencies 
                with respect to data security;
                    (B) promulgate regulations for effective data 
                security for covered consumer reporting agencies, 
                including regulations that require covered consumer 
                reporting agencies to--
                            (i) provide the Commission with 
                        descriptions of technical and organizational 
                        security measures, including--
                                    (I) system and network security 
                                measures, including--
                                            (aa) asset management, 
                                        including--

                                                    (AA) an inventory 
                                                of authorized and 
                                                unauthorized devices;

                                                    (BB) an inventory 
                                                of authorized and 
                                                unauthorized software, 
                                                including application 
                                                whitelisting; and

                                                    (CC) secure 
                                                configurations for 
                                                hardware and software;

                                            (bb) network management and 
                                        monitoring, including--

                                                    (AA) mapped data 
                                                flows, including 
                                                functional mission 
                                                mapping;

                                                    (BB) maintenance, 
                                                monitoring, and 
                                                analysis of audit logs;

                                                    (CC) network 
                                                segmentation; and

                                                    (DD) local and 
                                                remote access 
                                                privileges, defined and 
                                                managed; and

                                            (cc) application 
                                        management, including--

                                                    (AA) continuous 
                                                vulnerability 
                                                assessment and 
                                                remediation;

                                                    (BB) server 
                                                application hardening;

                                                    (CC) vulnerability 
                                                handling such as 
                                                coordinated 
                                                vulnerability 
                                                disclosure policy; and

                                                    (DD) patch 
                                                management, including 
                                                at, or near, real-time 
                                                dashboards of patch 
                                                implementation across 
                                                network hosts; and

                                    (II) data security, including--
                                            (aa) data-centric security 
                                        mechanisms such as format-
                                        preserving encryption, 
                                        cryptographic data-splitting, 
                                        and data-tagging and lineage;
                                            (bb) encryption for data at 
                                        rest;
                                            (cc) encryption for data in 
                                        transit;
                                            (dd) systemwide data 
                                        minimization evaluations and 
                                        policies; and
                                            (ee) data recovery 
                                        capability; and
                            (ii) create and maintain documentation 
                        demonstrating that the covered consumer 
                        reporting agency is employing reasonable 
                        technical measures and corporate governance 
                        processes for continuous monitoring of data, 
                        intrusion detection, and continuous evaluation 
                        and timely patching of vulnerabilities;
                    (C) annually examine the data security measures of 
                covered consumer reporting agencies for compliance with 
                the standards promulgated under subparagraph (B);
                    (D) investigate any covered consumer reporting 
                agency if the Office has reason to suspect a potential 
                covered breach or noncompliance with the standards 
                promulgated under subparagraph (B);
                    (E) after consultation with members of the 
                technical and academic communities, develop a rigorous, 
                repeatable methodology for evaluating, testing, and 
                measuring effective data security practices of covered 
                consumer reporting agencies, that employs forms of 
                static and dynamic software analysis and penetration 
                testing;
                    (F) submit to Congress an annual report on the 
                findings on any investigation under subparagraph (C);
                    (G) determine whether covered consumer reporting 
                agencies are complying with the regulations promulgated 
                under subparagraph (B); and
                    (H) coordinate with the National Institute of 
                Standards and Technology and the National Cybersecurity 
                and Communications Integration Center of the Department 
                of Homeland Security; and
            (2) may--
                    (A) investigate any breach to determine if the 
                covered consumer reporting agency was in compliance 
                with the regulations promulgated under paragraph 
                (1)(B); and
                    (B) if the Commission has reason to believe that 
                any covered consumer reporting agency is violating, or 
                is about to violate, a regulation promulgated under 
                paragraph (1)(B), bring a suit in a district court of 
                the United States to enjoin any such act or practice.
    (c) Staff.--
            (1) In general.--The Director shall, without regard to the 
        civil service laws and regulations, appoint such personnel, 
        including computer security researchers and practitioners with 
        technical expertise in computer science, engineering, and 
        cybersecurity, as the Director determines are necessary to 
        carry out the duties of the Office.
            (2) Details.--An employee of the National Institute of 
        Standards and Technology, the Bureau of Consumer Financial 
        Protection, or the National Cybersecurity and Communications 
        Integration Center of the Department of Homeland Security may 
        be detailed to the Office, without reimbursement, and such 
        detail shall be without interruption or loss of civil service 
        status or privilege.

SEC. 4. NOTIFICATION AND ENFORCEMENT.

    (a) Notification.--Not later than 10 days after a covered breach, 
the covered consumer reporting agency that was subject to the covered 
breach shall notify the Commission of the covered breach.
    (b) Penalty.--
            (1) In general.--In the event of a covered breach, the 
        Commission shall, not later than 30 days after the date on 
        which the Commission receives notification of the covered 
        breach, commence a civil action to recover a civil penalty in a 
        district court of the United States against the covered 
        consumer reporting agency that was subject to the covered 
        breach.
            (2) Determining penalty amount.--
                    (A) In general.--Except as provided in subparagraph 
                (B), in determining the amount of a civil penalty under 
                paragraph (1), the court shall impose a civil penalty 
                on a covered consumer reporting agency of--
                            (i) $100 for each consumer whose first and 
                        last name, or first initial and last name, and 
                        at least 1 item of personally identifying 
                        information was compromised; and
                            (ii) an additional $50 for each additional 
                        item of personally identifying information 
                        compromised for each consumer.
                    (B) Exception.--
                            (i) In general.--Except as provided in 
                        clause (ii), a court may not impose a civil 
                        penalty under this subsection in an amount 
                        greater than 50 percent of the gross revenue of 
                        the covered consumer reporting agency for the 
                        previous fiscal year before the date on which 
                        the covered consumer reporting agency became 
                        aware of the covered breach.
                            (ii) Penalty doubled.--A court shall impose 
                        a civil penalty on a covered consumer reporting 
                        agency double the penalty described in 
                        subparagraph (A), but not greater than 75 
                        percent of the gross revenue of the covered 
                        consumer reporting agency for the previous 
                        fiscal year before the date on which the 
                        covered consumer reporting agency became aware 
                        of the covered breach if--
                                    (I) the covered consumer reporting 
                                agency fails to notify the Commission 
                                of a covered breach before the deadline 
                                established under subsection (a); or
                                    (II) the covered consumer reporting 
                                agency violates any regulation 
                                promulgated under section 3(b)(1)(C).
            (3) Proceeds of the penalties.--Of the penalties assessed 
        under this subsection--
                    (A) 50 percent shall be used for cybersecurity 
                research and inspections by the Office of 
                Cybersecurity; and
                    (B) 50 percent shall be used by the Commission to 
                be divided fairly among consumers affected by the 
                covered breach.
            (4) No preemption.--Nothing in this subsection shall 
        preclude an action by a consumer under State or other Federal 
        law.
    (c) Injunctive Relief.--The Commission may bring suit in a district 
court of the United States or in the United States court of any 
Territory to enjoin a covered consumer reporting agency to implement or 
correct a particular security measure in order to promote effective 
security.

SEC. 5. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated $100,000,000 to carry out 
this Act, to remain available until expended.